Posted to users@zeppelin.apache.org by Rob Anderson <ro...@gmail.com> on 2016/05/26 21:38:09 UTC
Zeppelin authentication / permissions while using both Shiro and AD
Hey Everyone,
I'm new to Zeppelin as of this week. I've managed to build and stand up
the 0.6.0-incubating-SNAPSHOT. I've configured Zeppelin to authenticate
via Shiro using Active Directory. I'm able to authenticate without issue.
I'm having a problem setting / honoring notebook specific permissions.
Based on the documentation, I should be able to specify a user or group for
the read, write or ownership permissions
(https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html).
This works as expected if I specify a username, but groups and roles do not
seem to work.
Error:
Insufficient privileges to write notebook.
Allowed users or roles: [admin, zeppelinWrite]
But the user randerson belongs to: [randerson]
It seems clear that user randerson isn't mapped to any roles, or groups
(even though he of course is a member of the zeppelinWrite group in AD and
as a result also part of the local admin Role). A TCPDUMP reveals that
during login, all of my group memberships are in fact returned during the
ldap bind operation. However, when I attempt to modify a notebook, a call
is never made to AD, to pull back my group memberships. It doesn't seem to
look at my local group memberships (/etc/group) either.
I'm guessing I'm misunderstanding a concept(s) and / or missing a config
option(s) (although I have tried numerous combinations of everything I can
find online). My Shiro.ini is listed below. Any help you can offer is
appreciated.
Thanks much,
Rob
-------------------------------------------------------
shiro.ini
[users]
[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://<server>:389
adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
adRealm.searchBase = DC=company,DC=com
adRealm.systemUsername= <username>
adRealm.systemPassword= <password>
adRealm.principalSuffix=<@company>
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $adRealm
[roles]
admin = *
[urls]
/api/version = anon
/** = authcBasic
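An added example, not code from the thread, from Shiro or from Zeppelin: a small Python model of the two steps the post describes. First, Shiro's ActiveDirectoryRealm maps the memberOf group DNs returned at bind time to roles through groupRolesMap (modelled here as an exact string lookup per DN, which is an assumption of this example); second, a Zeppelin-style writer check compares the user name plus resolved roles against the notebook's writer list and emits the deny message quoted above. The memberOf values are constructed sample data.

```python
# Added example: models Shiro's groupRolesMap lookup and a Zeppelin-style
# notebook writer check. Not code from the thread, Shiro or Zeppelin.
import re

# groupRolesMap value exactly as in the shiro.ini above (line wrap rejoined).
GROUP_ROLES_MAP = ('"cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,'
                   'cn=users,dc=company,dc=com":"admin"')
# Constructed memberOf values, as an LDAP bind might return them.
MEMBER_OF_LOWER = ["cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,"
                   "cn=users,dc=company,dc=com"]
MEMBER_OF_UPPER = ["CN=zeppelinWrite,OU=unix groups,OU=groups,OU=accounts,"
                   "CN=users,DC=company,DC=com"]

_ENTRY = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')

def parse_group_roles_map(value):
    """Parse '"<groupDN>":"role1,role2", ...' into {groupDN: [roles]}."""
    return {dn: [r.strip() for r in roles.split(",") if r.strip()]
            for dn, roles in _ENTRY.findall(value)}

def roles_for_groups(member_of, group_roles):
    """Assumed realm behaviour: exact string lookup of each memberOf DN,
    so a DN differing only in attribute-type case maps to no role."""
    roles = set()
    for group_dn in member_of:
        roles.update(group_roles.get(group_dn, []))
    return roles

def check_write(user, roles, writers):
    """Allow when the user name or any resolved role is in the writer list;
    otherwise return the deny message in the form quoted in the thread."""
    entities = {user} | set(roles)
    if entities & writers:
        return "OK"
    return ("Insufficient privileges to write notebook.\n"
            f"Allowed users or roles: [{', '.join(sorted(writers))}]\n"
            f"But the user {user} belongs to: [{', '.join(sorted(entities))}]")

if __name__ == "__main__":
    mapping = parse_group_roles_map(GROUP_ROLES_MAP)
    writers = {"admin", "zeppelinWrite"}
    # Roles resolved and handed to the check: allowed.
    print(check_write("randerson", roles_for_groups(MEMBER_OF_LOWER, mapping), writers))
    # Roles never reach the check (what the thread reports): denied.
    print(check_write("randerson", set(), writers))
    # memberOf DN case differs from the map key: no role resolved, denied.
    print(check_write("randerson", roles_for_groups(MEMBER_OF_UPPER, mapping), writers))
```

The third case is worth ruling out before filing a bug: if the DN attribute types AD returns in memberOf do not match the groupRolesMap key character for character, the group resolves to no role and the check fails closed exactly as in the quoted error.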
Re: Zeppelin authentication / permissions while using both Shiro and AD
Posted by Vinay Shukla <vi...@gmail.com>.
Thanks Rob.
On Thursday, June 2, 2016, Rob Anderson <ro...@gmail.com> wrote:
> Done, thanks.
>
> https://issues.apache.org/jira/browse/ZEPPELIN-946
Re: Zeppelin authentication / permissions while using both Shiro and AD
Posted by Rob Anderson <ro...@gmail.com>.
Done, thanks.
https://issues.apache.org/jira/browse/ZEPPELIN-946
On Wed, Jun 1, 2016 at 1:06 PM, Vinay Shukla <vi...@gmail.com> wrote:
> Rob,
>
> It appears to be bug, can you please file a JIRA to track this?
>
> Thanks,
> Vinay
Re: Zeppelin authentication / permissions while using both Shiro and AD
Posted by Vinay Shukla <vi...@gmail.com>.
Rob,
It appears to be bug, can you please file a JIRA to track this?
Thanks,
Vinay